iemejia commented on code in PR #3862:
URL: https://github.com/apache/avro/pull/3862#discussion_r3567399307


##########
lang/ruby/lib/avro/io.rb:
##########
@@ -103,10 +120,43 @@ def read_string
       end
 
       def read(len)
-        # Read n bytes
+        # Read n bytes. Reject a declared length that exceeds the bytes
+        # actually remaining before allocating for it, to guard against an
+        # out-of-memory attack from a malicious or truncated input. The check
+        # is only applied to larger reads; smaller reads and stream readers 
that
+        # cannot report their size fall back to reading directly.
+        if len < 0
+          # A negative length would make IO#read return the rest of the stream,
+          # which bypasses the size check and can allocate without bound.
+          raise AvroError, "Cannot read a negative number of bytes: #{len}"
+        end
+        if len > MAX_UNCHECKED_READ
+          remaining = bytes_remaining
+          if remaining && len > remaining
+            raise AvroError, "Cannot read #{len} bytes, only #{remaining} 
remaining"
+          end
+        end
         @reader.read(len)
       end

Review Comment:
   Fixed — `read` now raises AvroError if the underlying IO returns fewer than 
`len` bytes (or nil), so a truncated/partial read is rejected rather than 
silently yielding corrupt data.



##########
lang/ruby/lib/avro/io.rb:
##########
@@ -481,11 +546,14 @@ def skip_union(writers_schema, decoder)
       end

Review Comment:
   Fixed — `skip_union` now applies the same `[0, schemas.size)` bounds check 
as `read_union` and raises AvroError on an out-of-range/negative index.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to